For most of us, the typical phishing scam starts with an urgent text or email from what looks like your bank. Or con artists hide behind a fake FedEx notice that says there's a delivery problem. We're not getting texts, yet, from celebrities.
So, who could imagine being tricked by a text from Drake?
The Drake in this scam, though, isn't the iconic rapper. Instead, it's a tax software company, and scammers impersonating Drake typically target tax professionals and CPAs, not ordinary taxpayers.
Tax season, which kicked off Jan. 29 when the Internal Revenue Service started accepting and processing 2023 federal income tax returns, is prime time for scammers to hit us with phony emails and texts. The IRS expects more than 146 million individual tax returns to be filed this tax season, which has an April 15 deadline.
We're into a time of the year when a great deal of personal information is being moved around. Con artists want to gain access to Social Security numbers and other information that can be used, the IRS warns, "to prepare authentic looking tax returns to collect a refund — or use it to commit other types of fraud."
Tax-related phishing scams and unsolicited texts even grabbed a top spot on the annual IRS "Dirty Dozen" list for scams in 2023. Some scammers, according to an IRS warning, will use the IRS logo in phishing attempts and claim something like "Action Required: Your account has now been put on hold."
Bottom line: "The IRS initiates most contacts through regular mail and will never initiate contact with taxpayers by email, text or social media regarding a bill or tax refund," the IRS reiterates.
The frightening part is that scammers are going after lots of data when they target a tax pro.
How hackers target tax professionals
"Intricate email scams pose a real risk to tax professionals and the taxpayers they represent," according to an alert issued in early January by IRS Commissioner Danny Werfel.
Cybercriminals can be "masquerading as real taxpayers looking for help," according to the IRS. Or they're impersonating the IRS, state tax agencies, software providers, and banks or credit unions.
The text relating to Drake asks the target to provide a copy of their electronic filing identification number account summary from IRS e-Services, with a status of completed, to Drake for verification. The identification number is used by tax professionals for the electronic filing of tax returns — and it's not something you'd want to hand over to scammers.
Increasingly, though, scammers are trying to steal a tax professional's e-Service account passwords and electronic filing identification number. Sometimes, the IRS notes in an alert, the scammers will pose as the IRS or e-Services.
The IRS said it continuously reviews electronic filing identification numbers and will inactivate numbers that are found to be compromised. But tax professionals are told to take steps, including using strong passwords and not opening links or attachments from suspicious emails. "Most data thefts begin with a phishing email," the IRS states.
Now, even an email from a "new client" needs to be treated suspiciously.
One scam that is targeting tax professionals, the IRS warns, involves emails that pretend to be a "potential new client" who might say "I am searching for another CPA to help handle my taxes."
One email noted: "Is it safe to say that you are accepting new clients for the 2024 tax season? Do you additionally assist with IRS representation?"
The IRS said the agency received hundreds of reports at email@example.com about these emails that pretended to be from new clients.
"The new client scam made up roughly two-thirds of the 400 reports of business email compromise or business email spoofing complaints that came in to firstname.lastname@example.org," the IRS stated.
The actual number of such scam attacks is far larger, of course, given the mass production of such messages.
Tax professionals say they're being inundated with such phishing scams.
"Scammers are always tweaking their scams. They're trying to come up with new ways for people to take the bait," said April Walker, lead manager for tax practice and ethics with the American Institute of CPAs.
She's received emails that pretend to be from potential new clients, which often include a link. Sometimes, the email will include an attachment of a W-2 or last year's tax return.
Walker knows they are a scam; she doesn't even prepare taxes any longer as part of her job.
Walker warned that it used to be fairly obvious that an out-of-the-blue email or a text was the initial step as part of a broader scam. But often scammers are trying very hard to make their emails seem more believable, such as trying to impersonate a friend.
The new phishing email might appear to be from a name you recognize, maybe a friend, colleague or recognized name in the community. That's often because your friend, colleague, or other well-known name had their email account credentials stolen.
How to handle scams
Tax professionals, Walker said, must have an action plan in advance to respond to any data breach. Moving quickly is essential.
Fake emails present a great risk, especially if a tax professional downloads a potential client's tax information or accesses a site with the potential client's tax information.
When that happens, the IRS said, cybercriminals could collect the preparer's email address, password and possibly other information — or load malware onto the tax pro's computer to gain access to the system.
The IRS recommends that tax professionals reach out to report data theft immediately to the local IRS stakeholder liaison. The liaison will notify IRS Criminal Investigation and others with the agency. "If reported quickly, the IRS can take steps to block fraudulent returns in clients' names and take other steps to protect the tax professional and their clients," the IRS stated in its alert.
We're also being warned about fake emails involving a request for an e-signature, which allows you to sign a document digitally. You might be asked to provide a password or other personal information. Or there might be a malicious attachment that could lead to a malware download. You want to be extremely skeptical about such e-mails and be on alert for fake notifications if you aren't expecting one.
Impostors have been known to use forged documents, which you're asked to sign and then add some of your confidential information.
Amber Gray-Fenner, an enrolled agent who regularly prepares tax returns for individuals and small businesses in Albuquerque, New Mexico, said she's received several phishing emails, and some requesting e-signatures "almost look legitimate."
In one case, she paused to step back and realize that she had given a different email to a contact regarding a conversation on e-signatures than the email address where she received the phishing email.
One email where the sender's name and email looked like a real person, she told me, had the subject line: "Review 8879," which is an e-filing authorization form.
"Those forms do not go through e-mail in my office, and I don't accept e-mailed 8879s from clients," she said. "They have to use my secure portal."
Gray-Fenner added that she has approved channels for "accepting client information and e-mail is not one of them and my clients know it."
By not accepting information from clients via e-mail, she said, phishing attempts stand out from the legitimate e-mail that's hitting her inbox.
Some red flags to consider, she said, include: any hand-drawn squiggles on the graphic; a notice that "E-signature sent you a document" (while that could happen when a user hasn't set up their e-signature account properly, she said, it's still a red flag); and any indication that the email was "sent with high importance."
Gray-Fenner noted that most e-signature requests that she receives are from people she's working with directly, such as realtors. And they don't come with high importance.
Also pay attention to your own email account. If something is being sent to an email that you've given out often, it's more likely that you could be dealing with a scammer.
What taxpayers should watch out for
Some weeks, your head can spin with all the potential scams lurking around every phone call and text. Scammers are impersonating all sorts of government agencies, not just the IRS.
The Consumer Financial Protection Bureau issued a warning in January about scammers who are using the names of employees at the federal consumer watchdog agency to try to sound more legitimate in their efforts to steal money.
"We’ve heard from people, specifically older adults, who received phone or video calls," the alert stated. Some scammers are claiming that the consumer could participate in a class-action lawsuit, or that they've won a lawsuit but must pay a fee or taxes upfront to collect some claims. Consumers can phone the CFPB call center at 855-411-2372 between 8 a.m. and 8 p.m. ET, Monday through Friday, if they want to confirm that a call is a scam. The CFPB doesn't make such calls.
Hackers also want more personally identifiable information about you so that they can open up credit cards, take out bank loans, and file a fake tax return to falsely claim an inflated tax refund.
Unfortunately, all of this means we need to be more on guard — even when we're swamped with work or other challenges.
Verify the identity of the sender by calling a phone number obtained elsewhere. You do not want to call the number provided in the email or text.
Don't rush if you receive a request to update anything. Scammers impersonate everyone — health care insurers, 401(k) plan providers, your mortgage company and more.
Tax season is an extremely busy time for taxpayers and tax preparers, so scammers also try to strike when someone could be exhausted or under a great deal of stress.
This article originally appeared on Detroit Free Press: Hackers are targeting tax pros: How that hurts taxpayers like you